The tragic events around the Ocean Gate Titan submersible disaster (18-June-2023) have many layers of the onion to peel away. This privately owned and operated submersible is believed to have imploded whilst on a journey down to the Titanic at 3800m water depth following a loss of communication.
If reports are true, then it beggars belief that anyone would choose to take any un-certified sub-maritime vessel to the depths of the Titanic, some 3800m of water, having only ātestedā the submersible to 4000m.Ā Ā I would expect that most people outside of Engineering and Science would not really comprehend what such a pressure (circa 380 barg/380 atmospheres) physically is, or the risks they are taking at such a water depth. Ā
It isnāt unreasonable for those signing any waiver to expect that those asking them to sign have done their due diligence and followed established engineering practices. Ā If the quotes attributed to the now deceased Stockton Rush are accurate, then it (tragically) appears not.Ā Ā Ā Ā
Many things we do in life involve risks and hazards. Those risks/hazards often have associated severities and consequences, as well as an expected frequency of being likely to occur. I would hope that most of us in Engineering understand the Hazard Triangle, ALARP (As low as reasonably practicable) and ISD (Inherently safe design). For those who do not, then our esteemed colleagues at the UK HSE have articulated it far better than I believe I could ever do:
The cornerstone of what we do should be that it is done safely and with minimum impact/harm to people and the environmentā¦ as far as reasonably practicable.Ā And there is that phrase again āas far as reasonably practicable.āĀ We should take the time to consider what that means, and the basis of ALARP.Ā
To quote the above mentioned HSE, ALARP is āshort for “as low as reasonably practicable”. Reasonably practicable involves weighing a risk against the trouble, time and money needed to control it. Thus, ALARP describes the level to which we expect to see workplace risks controlled. ā
Note that in the above diagram, BAT means āBest Available Techniques/Technologyā.
Where possible, we should primarily look to remove the hazard: No hazard, no risk.Ā If only life was that simple!Ā If one chooses to travel to the depths of the ocean, then there is one hazard we cannot remove, only manage āas far as reasonably practicableā by design and practice.Ā Where we cannot, we should seek to minimise/control the severity of those risks āas far as reasonably practicableā; or greatly reduce the frequency of such risks leading to catastrophe.Ā Ā
This of course assumes that people can and do understand the risks and are aware of and understand the severity, frequency and failure modes.Ā As above, I would question whether those who chose to take the Ocean Gate Titan submersible were cognisant of the actual risk(s) they were taking when they signed the waivers prior to descending the depths of the ocean.Ā To be able to evaluate a risk, one must understand it.Ā
It seems here that (I would challenge) the failure mechanisms of the anisotropic carbon fibre tubular section of the Ocean Gate Titan submersible were not adequately understood and not comprehensively (enough) tested (OceanGate Was Warned of Safety Concerns with Titanic Mission – The New York Times (nytimes.com)).Ā I know nothing about designing submersibles. I do however have an appreciation of what 360 barg pressure is and the consequences of such a hazard.Ā
As an engineer, I absolutely would not āvisitā the Titanic in an uncertified vessel, especially one that hasnāt gone through HAZOP and design verifications by independent bodies and Engineers who are knowledgeable about the design and operation of submersibles.Ā
Given some of his public statements, some may question whether Ocean Gateās CEO Stockton Rush was one of those people.Ā As Stockton Rush did have an engineering degree (Aeronautical, I believe), then it is somewhat astonishing that he seemed to be dismissive of the Hazard Triangle, ALARP and ISD.Ā
If true, then the statement associated to Stockton Rush as being “tired of industry players who try to use a safety argument to stop innovation” (Titan sub CEO dismissed safety warnings as ‘baseless cries', emails show – BBC News) is only marginally less astonishing than the quote (also attributed to Stockton Rush) āIf youāre not breaking things then youāre not innovatingā.Ā Ā
No Stockton Rush – safely does not āstifleā innovation ā it should and does drive it. The more I read about the Ocean Gate Titan submersible tragedy, the more I shake my head in absolute disbelief as to how such a project ever got that far.
I found the statement from the now deleted OceanGate website (link no longer active) sobering, especially the claim of complete validation (ācompleteā being an absolute term):
āOceanGate CEO and Founder, Stockton Rush, completed Titanās 4000-meter validation dive in December 2018. Not only did this dive completely validate Ocean Gateās innovative engineering and the construction of Titanās carbon fibre and titanium hull, it also means that all systems are GO for the 2019 Titanic Survey Expedition ā the worldās deepest adventure ā scheduled for June to August 2019.ā
I would question any engineer who would or does make clams as absolutes. It is tragically ironic that the Titanic was once claimed to be āunsinkableā by Philip Franklin, White Star Line vice-president, 1912.
“There is no danger that Titanic will sink. The boat is unsinkable and nothing but inconvenience will be suffered by the passengers.” Phillip Franklin, White Star Line vice-president, 1912
An āabsoluteā is a long way off ALARP.
Consider how we as engineers pressure test ā we take any vessel or pipe to 1.5 times the MOP (Maximum operating pressure) and design (with margin) for much greater than this (allowing for corrosion, stresses, etc).Ā
That we do not take such pressure vessels/piping to their design pressure highlights the (reasonable) lack of faith in absolutes, and the need to include for pressure relief and safety systems into design. Ā
Obviously, submersibles have nowhere to ārelieveā such pressures to, so even more reason to practice ALARP and design with very conservative margins (and safety systems) given the one absolute we do have here are the hazards of the deep ocean.Ā
Given the Titanic is at 3800m water depth, that is about 380 barg.Ā 1.5 times āMOPā is 570 barg (5700m water depth) is what I would have expected the design team to have tested to as a minimum. Ā This is well in excess of the (apparent) 4000 m āvalidation diveā Stockton Rush is quoted as claiming.Ā
I would contest that this is not a āValidation Diveā, rather a preliminary āservice testā that should have preceded additional dives to access the failure modes/mechanism of this vessel design to depths well in excess of the 4000m quoted on (the now deactivated) OceanGate web portal.
To only ātestā something to circa 5% over itās operational range isnāt a test, it is a leap of faith! Even more so when a relatively unused (in the application chosen) anisotropic composite material.Ā
āGood engineeringā would/should surely dictate testing any such vessel to destruction so as to determine what the actual design and failure pressures are and where the limits of the āTolerable Risk Zoneā exists (even before we get into cyclical stressing criteria, De-lamination loads and fatigue of these composite materials).Ā
Part of this process must be to validate with repeatability the frequencies of failure upon demand and to āas far as reasonably practicableā those likely failure mechanisms within the ātolerable risk zoneā of the ALARP Triangle. Ā
To just ādo it a few timesā only shows that at āthose timesā it didnāt fail rather than to given insight as to those situations where it would fail (as apparently happened). Ā Someone who knows far, far more than I do on this topic can be found on YouTube:
I have absolutely no idea if Ocean Gate did this? It does not appear that they did, nor adequately undertake sufficient destructive and non-detective testing. Ā If it was me, then I would want a significant design margin on top of 1.5 MOP and many, many dive tests to 6000m+ water depth.
I would also not make my life dependent upon by something controlled by a video-game controller; rather would have expected to see back-up and SIL (Safety Integrity Level) rated systems with multiple layers of redundancy.
The parallels with the Petrobras P36 Floating Production Facility Sinking (20 March, 2001 – reference www.drillingformulas.com ) Ā and death of 11 facility workers are sobering given the common lack of any detailed hazard analysis that might have identified failure mechanisms and modes.Ā
Perhaps Ocean Gate have these in relation to the Titan and have chosen not to make public? Ā Ā It is interesting what the October 2008 NASA ViTS Meeting Presentation drew as itās conclusions from this P-36 event (www.sma.nasa.gov):
- Poor design Placement of key safety-critical parts
- Component failure without sufficient backups
- Lack of training and communication
- Focus on cost-cutting.
We await further information as to the Ocean Gate Titan submersible disaster before we can see how many of these are applicable. One point to note as to this NASA presentation, and as a quote I hope ALL engineers will take to heart is:
āEfficiency and performance should not supersede the need and continuous pursuit of safe operationsā.
Perhaps had Stockton Rush read this and considered such, then perhaps the Ocean Gate Titan submersible loss wouldnāt have occurred? Ā It seems a tragedy that should have and could have been avoided had standard engineering hazard identification and controls been employed.Ā Ā
Taking any vessel to 3800m water depth is always going to have risks that cannot easily be mitigated – as highlighted by the obvious elephant in the room that the US military and their billions of dollars of research funds DONāT take their submarines to such depths. Ā
By comparison, most military submarines are limited to about 500m water depth, less than 15% of the depth of the Titanic.
Safest option would always be to not visit the Titanic in the first place.
Just because you can, does not mean that you should.
